The BuildSecurityDescriptor function allocates and initializes a new security descriptor. A security descriptor is an opaque structure that contains the security information associated with an object. The function can initialize the new security descriptor by merging specified security information with the information in an existing security descriptor. If you don’t specify an existing security descriptor, the function initializes a new security descriptor based on the specified security information.
BuildSecurityDescriptor creates a self-relative security descriptor, which means that the security descriptor stores a SECURITY_DESCRIPTOR structure and associated security information in a contiguous block of memory. The self-relative format makes the security descriptor suitable for storing in a stream.
DWORD BuildSecurityDescriptor(
  PTRUSTEE pOwner,                        // identifies owner for new security descriptor
  PTRUSTEE pGroup,                        // identifies group for new security descriptor
  ULONG cCountOfAccessEntries,            // number of access-control entries in the list
  PEXPLICIT_ACCESS pListOfAccessEntries,  // pointer to list of access-control entries for DACL
  ULONG cCountOfAuditEntries,             // number of audit-control entries in the list
  PEXPLICIT_ACCESS pListOfAuditEntries,   // pointer to list of audit-control entries for SACL
  PSECURITY_DESCRIPTOR pOldSD,            // pointer to an existing security descriptor
  PULONG pSizeNewSD,                      // pointer to the size of the new security descriptor
  PSECURITY_DESCRIPTOR *pNewSD            // pointer that receives the new security descriptor
);
pOwner: If this parameter is NULL, the function uses the owner SID from the original security descriptor pointed to by pOldSD. If pOldSD is NULL, or if the owner SID in pOldSD is NULL, the owner SID is NULL in the new security descriptor.
pGroup: If this parameter is NULL, the function uses the group SID from the original security descriptor pointed to by pOldSD. If pOldSD is NULL, or if the group SID in pOldSD is NULL, the group SID is NULL in the new security descriptor.
pListOfAccessEntries: If this parameter is NULL, the new security descriptor gets the DACL from pOldSD. In this case, if pOldSD is NULL, or if the DACL in pOldSD is NULL, the new DACL is NULL.
pListOfAuditEntries: If this parameter is NULL, the new security descriptor gets the SACL from pOldSD. In this case, if pOldSD is NULL, or if the SACL in pOldSD is NULL, the new SACL is NULL.
If the function succeeds, the return value is ERROR_SUCCESS.
If the function fails, the return value is a nonzero error code defined in WINERROR.H.
The BuildSecurityDescriptor function is intended for trusted servers that implement or expose security on their own objects. The function uses self-relative security descriptors suitable for serializing into a stream and storing to disk, as a trusted server might require.
See also: ACL, EXPLICIT_ACCESS, LocalFree, SECURITY_DESCRIPTOR, SetEntriesInAcl, SID, TRUSTEE